Server configuration
Note: the server must be joined to the domain so that the OU can be referenced.
1. Add the Network Policy Server role (NPS)
2. Create a user group
3. Configure NPS
The Routing and Remote Access items can be left at their defaults.
After configuration, move this policy to the top of the policy processing order.
Router and switch configuration
1. H3C configuration
radius nas-ip interface Vlan-interface348
radius scheme cdg
 primary authentication 10.1.41.170
 key cipher $c$3$I82GnFIoAYRWdrSnDwrZ2vSAqjfnikRuGjryrkEMjg==
 user-name-format without-domain
radius scheme system
 user-name-format without-domain
domain cdg
 authentication login radius-scheme cdg
 authorization login radius-scheme cdg
 accounting login none
domain system
domain default enable cdg
Note: after the above configuration, when logging in with the local admin account the username must be entered as admin@system, because domain default enable cdg sends any name without a domain suffix to the RADIUS domain cdg, so the local system domain has to be named explicitly.
2. Huawei configuration
radius-server template cdg
 radius-server shared-key cipher xxx
 radius-server authentication 10.1.41.171 1812 source LoopBack 0 weight 80
 radius-server authentication 10.1.41.169 1812 source LoopBack 0 weight 60
 undo radius-server user-name domain-included
 radius-attribute nas-ip 10.16.208.1
domain cdg admin
ssh authentication-type default password
aaa
 authentication-scheme default
  authentication-mode local radius
 authentication-scheme radius
  authentication-mode radius
 authentication-scheme cdg
  authentication-mode radius
 authorization-scheme default
 accounting-scheme default
 service-scheme cdg
  admin-user privilege level 15
 service-scheme default
  admin-user privilege level 15
 domain default
  authentication-scheme default
  service-scheme default
  radius-server default
 domain default_admin
  authentication-scheme default
 domain cdg
  authentication-scheme cdg
  service-scheme cdg
  radius-server cdg
 local-user admin@default password cipher xxx
 local-user admin@default privilege level 15
 local-user admin@default service-type terminal ssh
 local-user cdg-admin@default password cipher xxx
 local-user cdg-admin@default privilege level 15
 local-user cdg-admin@default service-type terminal ssh
Note 1: after the above configuration, if you need to log in to the device with a local account, that account must be created separately, as shown below. Then log in to the device as admin@default (the default domain authenticates locally first, whereas names without a suffix go to the RADIUS domain cdg).
local-user admin@default password irreversible-cipher $1a$FoAG0ST&R8$7Vl\Qgi(bO9r"#G<4tWSjU)M(,ZH+&o57cEM"a_.$
local-user admin@default privilege level 15
local-user admin@default service-type terminal ssh
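To check the NPS side independently of any switch, the following script is added here as an example (it is not part of the original note and not vendor code). It builds an RFC 2865 PAP Access-Request the way a switch's management login does: User-Name sent exactly as typed (this is what user-name-format without-domain on H3C and undo radius-server user-name domain-included on Huawei control), User-Password obfuscated with MD5 and the shared secret, NAS-IP-Address set to the address configured with nas-ip, and the Response Authenticator of the reply verified. The server address 10.1.41.170 and NAS IP 10.16.208.1 are taken from the note; the shared secret, the password and the Service-Type value Login-User are assumptions (placeholders) and a given switch model may send a different Service-Type.

```python
import hashlib
import hmac
import os
import socket
import struct

# RFC 2865 packet codes and the attribute types a management login uses
ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
ATTR_USER_NAME, ATTR_USER_PASSWORD, ATTR_NAS_IP_ADDRESS = 1, 2, 4
ATTR_SERVICE_TYPE, ATTR_REPLY_MESSAGE = 6, 18
SERVICE_TYPE_LOGIN = 1  # Login-User; assumed value, real switches may differ


def encode_user_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """RFC 2865 section 5.2: pad to 16-byte blocks and XOR each block with
    MD5(secret + previous block), seeded with the Request Authenticator."""
    blocks = max(1, (len(password) + 15) // 16)
    padded = password.ljust(blocks * 16, b"\x00")
    out, prev = bytearray(), authenticator
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        block = bytes(a ^ b for a, b in zip(padded[i:i + 16], key))
        out += block
        prev = block
    return bytes(out)


def decode_user_password(encoded: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Inverse of encode_user_password (what the server does before checking AD).
    Trailing NUL padding is stripped, so passwords ending in NUL are not supported."""
    out, prev = bytearray(), authenticator
    for i in range(0, len(encoded), 16):
        key = hashlib.md5(secret + prev).digest()
        block = encoded[i:i + 16]
        out += bytes(a ^ b for a, b in zip(block, key))
        prev = block
    return bytes(out).rstrip(b"\x00")


def _attr(attr_type: int, value: bytes) -> bytes:
    # Type(1) Length(1, counts the type and length bytes too) Value
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def build_access_request(ident, secret, username, password, nas_ip, authenticator=None):
    """Build an Access-Request; username goes on the wire exactly as given."""
    authenticator = authenticator or os.urandom(16)
    attrs = (
        _attr(ATTR_USER_NAME, username.encode())
        + _attr(ATTR_USER_PASSWORD, encode_user_password(password.encode(), secret, authenticator))
        + _attr(ATTR_NAS_IP_ADDRESS, socket.inet_aton(nas_ip))
        + _attr(ATTR_SERVICE_TYPE, struct.pack("!I", SERVICE_TYPE_LOGIN))
    )
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs)) + authenticator + attrs


def parse_attributes(raw: bytes) -> dict:
    """Decode the TLV attribute list into {type: [value, ...]}."""
    attrs, i = {}, 0
    while i + 2 <= len(raw):
        attr_type, length = raw[i], raw[i + 1]
        if length < 2 or i + length > len(raw):
            raise ValueError("malformed attribute")
        attrs.setdefault(attr_type, []).append(raw[i + 2:i + length])
        i += length
    return attrs


def parse_response(packet: bytes, secret: bytes, request_authenticator: bytes):
    """Verify the Response Authenticator (RFC 2865 section 3) and return (code, id, attrs).
    A mismatch means a wrong shared secret or a reply that did not come from the server."""
    code, ident, length = struct.unpack("!BBH", packet[:4])
    attrs_raw = packet[20:length]
    expected = hashlib.md5(packet[:4] + request_authenticator + attrs_raw + secret).digest()
    if not hmac.compare_digest(expected, packet[4:20]):
        raise ValueError("Response Authenticator mismatch")
    return code, ident, parse_attributes(attrs_raw)


def build_response(code: int, request: bytes, secret: bytes, attrs: bytes = b"") -> bytes:
    """Server-side reply construction, included so parse_response can be exercised offline."""
    header = struct.pack("!BBH", code, request[1], 20 + len(attrs))
    resp_auth = hashlib.md5(header + request[4:20] + attrs + secret).digest()
    return header + resp_auth + attrs


def radius_login_check(server, secret, username, password, nas_ip, timeout=5.0):
    """Send one Access-Request over UDP 1812 and report accept, reject or no answer."""
    ident = os.urandom(1)[0]
    request = build_access_request(ident, secret, username, password, nas_ip)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(request, (server, 1812))
        try:
            reply, _ = sock.recvfrom(4096)
        except socket.timeout:
            return "no reply (source not registered as a RADIUS client, or UDP 1812 blocked)"
    code, reply_ident, attrs = parse_response(reply, secret, request[4:20])
    if reply_ident != ident:
        raise ValueError("reply identifier does not match the request")
    msg = b" ".join(attrs.get(ATTR_REPLY_MESSAGE, [])).decode(errors="replace")
    name = {ACCESS_ACCEPT: "Access-Accept", ACCESS_REJECT: "Access-Reject"}.get(code, f"code {code}")
    return name + (f": {msg}" if msg else "")


if __name__ == "__main__":
    # Primary server from the note; secret and password are placeholders.
    print(radius_login_check("10.1.41.170", b"SHARED_SECRET_PLACEHOLDER", "admin", "PASSWORD", "10.16.208.1"))
```

Run it from a host whose source address is registered as a RADIUS client on NPS; a silent timeout is the usual symptom when that registration is missing, whereas a secret mismatch shows up as a reject or a Response Authenticator failure. Sending the name with and without the @domain suffix reproduces the difference the without-domain settings make.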
Commonly used commands
<HBSY-OA-1#1F409-CSW1>dis aaa online-fail-record all
------------------------------------------------------------------------------
  User name                 : admin@default
  Domain name               : default
  User MAC                  : -
  User access type          : SSH
  User IP address           : 10.1.13.100
  User IPV6 address         : -
  User ID                   : 16000
  User login time           : 2022/11/10 15:16:21
  User online fail reason   : Local authentication reject
  Authen reply message      : Authentication fail

<HBSY-OA-1#1F409-CSW1>dis radius-server configuration
------------------------------------------------------------------------------
  Server-template-name           : cdg
  Protocol-version               : standard
  Traffic-unit                   : B
  Shared-secret-key              : %^%#Gc}t@S%FpS2R\W;ox8~%,.'kO&]b[&PnEFJP>NQG%^%#
  Group-filter                   : class
  Timeout-interval(in second)    : 5
  Retransmission                 : 3
  EndPacketSendTime              : 3
  Dead time(in minute)           : 5
  Domain-included                : NO
  NAS-IP-Address                 : 10.15.248.1
  Calling-station-id MAC-format  : xxxx-xxxx-xxxx
  Called-station-id MAC-format   : XX-XX-XX-XX-XX-XX
  Service-type                   : -
  NAS-IPv6-Address               : ::
  Server algorithm               : master-backup
  Detect-interval(in second)     : 60
  Authentication Server 1        : 10.1.41.171  Port:1812  Weight:80  [UP]
    Vrf:-  LoopBack:NULL  Source IP: 10.15.248.1
  Authentication Server 2        : 10.1.41.169  Port:1812  Weight:60  [UP]
    Vrf:-  LoopBack:NULL  Source IP: 10.15.248.1
------------------------------------------------------------------------------
------------------------------------------------------------------------------
  Server-template-name           : default
  Protocol-version               : standard
  Traffic-unit                   : B
  Shared-secret-key              :
  Group-filter                   : class
  Timeout-interval(in second)    : 5
  Retransmission                 : 3
  EndPacketSendTime              : 3
  Dead time(in minute)           : 5
  Domain-included                : NO
  NAS-IP-Address                 : -
  Calling-station-id MAC-format  : xxxx-xxxx-xxxx
  Called-station-id MAC-format   : XX-XX-XX-XX-XX-XX
  Service-type                   : -
  NAS-IPv6-Address               : ::
  Server algorithm               : master-backup
  Detect-interval(in second)     : 60
------------------------------------------------------------------------------
  Total of radius template :2

<HBSY-OA-1#1F409-CSW1>dis aaa configuration
  Domain Name Delimiter             : @
  Domainname parse direction        : Left to right
  Domainname location               : After-delimiter
  Administrator user default domain : cdg
  Normal user default domain        : default
  Domain                            : total: 128   used: 3
  Authentication-scheme             : total: 129   used: 3
  Accounting-scheme                 : total: 128   used: 1
  Authorization-scheme              : total: 128   used: 1
  Service-scheme                    : total: 128   used: 2
  Recording-scheme                  : total: 64    used: 0
  Local-user                        : total: 1000  used: 4
  Local-user block retry-interval   : 5 Min(s)
  Local-user block retry-time       : 5
  Local-user block time             : 5 Min(s)
  Remote-user block retry-interval  : 30 Min(s)
  Remote-user block retry-time      : 30
  Remote-user block time            : 30 Min(s)
  Session timeout invalid enable    : No
Special case: a few switches still cannot be logged into after the above configuration.
The error is as follows:
<CN-WJCY-1F-OFFI-WLAC01>dis aaa online-fail-record all
  User name                 : hen.xing
  Domain name               : cdg
  User MAC                  : -
  User access type          : SSH
  User IP address           : 10.1.13.100
  User IPV6 address         : -
  User ID                   : 9
  User login time           : 2024/01/10 15:23:00
  User online fail reason   : Authorization data error
  Authen reply message      : Authentication fail
  User name to server       : hen.xing
Solution: check whether the device allows the user to come online after its check of the authorization information fails.
The authorization-info check-fail policy command configures whether the device lets a user come online when the authorization information check fails. On most devices the default is to allow the user online after the check fails.
[CN-WJCY-1F-OFFI-ACC11-POE]authorization-info check-fail policy ?
  offline  Offline, the default is online.
  online   Online, the default is online.
But on a few devices the default is the opposite: after the authorization information check fails, the user is not allowed online.
[CN-WJCY-1F-OFFI-WLAC01]authorization-info check-fail policy ?
  offline  Offline, the default is offline.
  online   Online, the default is offline.
In this case add the following command in system view: authorization-info check-fail policy online
Official documentation link: https://support.huawei.com/enterprise/zh/doc/EDOC1100305532/2aed63b0
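The two failure records above (Local authentication reject on the local-domain login, and Authorization data error on the switch whose check-fail default is offline) are the cases a triage script should recognise. The following Python script is added here as an example and is not part of the original note or of any vendor tool: it parses the key/value layout of display aaa online-fail-record all and maps each fail reason to the check this note prescribes. The sample output is constructed from the field names in the note; the user name user.one is made up, and the field widths are an assumption since the parser only relies on the colon separator.

```python
import re

# Constructed sample in the layout 'display aaa online-fail-record all' prints.
# Field names follow the note; the user name user.one is made up.
SAMPLE_OUTPUT = """
<SWITCH-A>dis aaa online-fail-record all
------------------------------------------------------------------------------
  User name                 : admin@default
  Domain name               : default
  User access type          : SSH
  User IP address           : 10.1.13.100
  User login time           : 2022/11/10 15:16:21
  User online fail reason   : Local authentication reject
  Authen reply message      : Authentication fail
------------------------------------------------------------------------------
  User name                 : user.one
  Domain name               : cdg
  User access type          : SSH
  User IP address           : 10.1.13.100
  User login time           : 2024/01/10 15:23:00
  User online fail reason   : Authorization data error
  Authen reply message      : Authentication fail
  User name to server       : user.one
"""

# One 'Key : value' line; the key is letters, digits and spaces, so the ':' in a
# timestamp value never ends up in the key.
FIELD_RE = re.compile(r"^\s*(?P<key>[A-Za-z][A-Za-z0-9 ]*?)\s*:\s*(?P<value>.*?)\s*$")

# Fail reason -> what the note says to check. Matched on a prefix so that any
# detail a device appends to the reason text does not break the lookup.
TRIAGE = {
    "Local authentication reject": (
        "domain '{domain}' authenticated locally: the local-user '{user}' must exist with "
        "'service-type terminal ssh' and its privilege level, and the local login must use "
        "the @default suffix (see note 1)"),
    "Authorization data error": (
        "the device's authorization information check failed for '{user}': run "
        "'authorization-info check-fail policy ?' and, if the default is offline, "
        "configure 'authorization-info check-fail policy online' in system view"),
}


def parse_fail_records(text: str) -> list[dict]:
    """Split the command output into one dict per record; a record starts at 'User name'."""
    records, current = [], None
    for line in text.splitlines():
        m = FIELD_RE.match(line)
        if not m:
            continue  # prompt, separator rule or blank line
        key, value = m.group("key"), m.group("value")
        if key == "User name":
            current = {}
            records.append(current)
        if current is not None:
            current[key] = value
    return records


def triage(record: dict) -> str:
    """Return the check to perform for one failed login, from the reason field."""
    reason = record.get("User online fail reason", "")
    user = record.get("User name", "?")
    domain = record.get("Domain name", "?")
    for prefix, advice in TRIAGE.items():
        if reason.startswith(prefix):
            return advice.format(user=user, domain=domain)
    return (f"unhandled reason '{reason}': compare 'display aaa configuration' and "
            f"'display radius-server configuration' with the reference configuration")


def triage_output(text: str) -> list[tuple[str, str]]:
    """Return (user, advice) pairs for every failed login in the output."""
    return [(r.get("User name", "?"), triage(r)) for r in parse_fail_records(text)]


if __name__ == "__main__":
    for user, advice in triage_output(SAMPLE_OUTPUT):
        print(f"{user}: {advice}")
```

Paste the real command output into triage_output; because records are split on the User name field, the optional User name to server line stays attached to its own record and does not start a new one.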